cacert-policy - Re: root escrow

Subject: Policy-Discussion

List archive

Re: root escrow


Chronological Thread 
  • From: Mark Lipscombe <mark AT cacert.org>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>, Board Mbrs <cacert-board AT lists.cacert.org>, cacert-root AT lists.cacert.org, dieter.hennig AT id.ethz.ch
  • Subject: Re: root escrow
  • Date: Tue, 23 Mar 2010 17:05:45 +1100
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none

On 3/23/2010 2:21 AM, Dieter Hennig wrote:
z1 "The board is in control in the same way it controls all critical
infrastructure."

and

z4 "Board has de jure control of critical infrastructure, and can
exercise this as needed."

Let me assume the two CAcert members are visiting the critical system. They
can produce all the keys they need and put the subroots into the
signing server and the roots into the non-connected server.

To control the computer, the board has only to check whether they exist or not.
The board can also exercise the presence of the root key. Good.

But the board has to show that no illegal copy of the
root certificate exists. How would you do this under these assumptions?

Hi Dieter,

I'm not sure the board has to "prove" the negative that a copy of the key has been made. The seemingly relevant audit criteria as it relates to the root key are at C.3 in the David Ross Criteria (DRC)[1].

The main requirement in this regard is that the use of the private key requires cooperative action by at least two CA personnel. In my proposal, the critical systems team would not know the passphrase for the key, so it would require the following people[2]:

* An access engineer
* Two critical systems administrators
* One or more people with one or more parts of the root key passphrase

This will mean that a minimum of four, and a maximum of however many people we decide to share the passphrase amongst will need to be present.

Even if you assume nefarious intent, you could still only do it with one less critical system admin -- you'd still need the access engineer for physical access, one system administrator for logical access and those people with all the parts of the key passphrase.

Unlike many of the other proposals, such an act would leave a substantial trail of information, including physical surveillance at the colocation facility. This gives an additional layer of protection, in that it both discourages improper access and allows it to be discovered and documented.

Regards,
Mark

[1] http://rossde.com/CA_review/CA_review_C.html#C3
[2] http://wiki.cacert.org/SecurityManual#Physical_access (see signing server at 2.3.2)
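As an added illustration of the multi-person control Mark describes (this is example code, not CAcert's signing-server software): the root key passphrase is split with XOR into one part per holder, so every holder must be present, and a session is only permitted when the access engineer, two critical systems administrators and all passphrase parts are present. The role counts, the XOR split and the stored passphrase digest are assumptions of the example.

```python
import hashlib
import secrets

# Assumed model of the post's scheme: the root key is protected by a passphrase
# that the critical systems team never learns; the passphrase is split n-of-n
# among its holders, and roles are checked before the parts are reassembled.

MIN_PRESENT = {"access_engineer": 1, "critical_sysadmin": 2}  # assumed roles


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_passphrase(passphrase: bytes, holders: int) -> list[bytes]:
    """n-of-n split: n-1 uniformly random parts plus one part chosen so that
    the XOR of all parts equals the passphrase. Any subset missing a part is
    statistically independent of the passphrase, so no holder can be skipped."""
    if holders < 2:
        raise ValueError("need at least two passphrase holders")
    parts = [secrets.token_bytes(len(passphrase)) for _ in range(holders - 1)]
    last = passphrase
    for p in parts:
        last = xor_bytes(last, p)
    return parts + [last]


def reassemble(parts: list[bytes]) -> bytes:
    out = bytes(len(parts[0]))
    for p in parts:
        out = xor_bytes(out, p)
    return out


def passphrase_digest(passphrase: bytes) -> bytes:
    """Stand-in for the signing server checking the passphrase on the key."""
    return hashlib.sha256(passphrase).digest()


def minimum_attendance(holders: int) -> int:
    """People who must be present: engineer + two sysadmins + every holder."""
    return sum(MIN_PRESENT.values()) + holders


def signing_session_allowed(present: dict[str, int], parts: list[bytes],
                            total_parts: int, stored_digest: bytes) -> bool:
    """True only if every required role is present and all parts are supplied."""
    for role, needed in MIN_PRESENT.items():
        if present.get(role, 0) < needed:
            return False
    if len(parts) != total_parts:
        return False  # a missing part leaves the XOR result random
    return passphrase_digest(reassemble(parts)) == stored_digest
```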
